  1. #1
    Norphy's Avatar
    Join Date
    Jan 2006
    Location
    Harpenden
    Posts
    2,245
    Thank Post
    51
    Thanked 275 Times in 213 Posts
    Blog Entries
    6
    Rep Power
    113

    Proxy

    At the moment our students are going through a plain ISA 2000 proxy server. It works well enough, we have no technical problems and internet access is as fast as our connection allows. ISA allows you to decide who has access and who doesn't, you can easily filter MIME types, schedule hours, bandwidth priorities, and it keeps meaningful and detailed logs. However one feature that ISA lacks is any kind of meaningful filtering. Unfortunately third-party ISA filters like Surfcontrol cost a fortune so those aren't really viable options.

    We absolutely must have transparent authentication for students. I don't want them to have to enter their user name and password each and every time they use the internet as, as soon as one of them gets a ban, they'll use someone else's password instead.

    I've been looking into the various prebuilt Squid packages like IPCop, Endian and Smoothwall. However I've hit a snag. Adding NTLM and LDAP authentication to IPCop and Smoothwall is very easy, just install the Advproxy add-on and it works. I've chosen Dansguardian for filtering on the basis of recommendations here and because our ISP uses it to great effect. For Advproxy's authentication methods to work the "Transparent" proxy mode needs to be turned off. From what I understand, for Dansguardian to work properly, "Transparent" mode needs to be turned on.

    I mentioned Endian up there. Endian appears to be a version of IPCop with Dansguardian and Advproxy bundled in. However they use an old version of Advproxy which has broken NTLM and LDAP authentication so it is useless for my needs.

    So, bar using two servers (One for filtering, one for authentication), how do I do this? :P

  2. #2

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    13,343
    Thank Post
    624
    Thanked 1,584 Times in 1,421 Posts
    Rep Power
    414

    Re: Proxy

    According to the Endian documentation integrated authentication works.

    http://www.endian.it/fileadmin/docum...tepbystep.ldap

    Ben

  3. #3
    Norphy's Avatar

    Re: Proxy

    I can promise you, it doesn't.

  4. #4

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,803
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224

    Re: Proxy

    You can't have a 'transparent' proxy and have authentication. The two things are mutually exclusive.

    You can have NTLM auth though, which is transparent to your users (and I suspect what you really meant) and use filtering. It's exactly how I have things set up here.

  5. #5
    Norphy's Avatar

    Re: Proxy

    I'm just reporting what it says in the software. May I refer you to this screenshot. See the

    According to the documentation I can find on the DG mod for Smoothwall, that "Transparent on Green" box has to be checked for it to work (see here). However check that "Transparent on green" box and try turning on the NTLM or LDAP auth and it says "Transparent mode must be disabled for authentication". Taken from the advproxy manual here:

    4.1.2 Transparent on <Interface>
    If the transparent mode is enabled, all requests for the destination port 80 will be forwarded to the Proxy
    Server without the need of any special configuration changes to your clients.

    Note: Transparent mode works only for destination port 80. All other requests (e.g. port 443 for SSL) will
    bypass the Proxy Server.

    Note: When using any type of authentication, the Proxy may not run in transparent mode.

    Note: To enforce the usage of the Proxy Server in non-transparent mode, you will have to block all outgoing
    ports usually used for http traffic (80, 443, 8000, 8080, etc.).

    So, to recap, yes I do want transparent authentication for my users (i.e. they don't get presented with an authentication box when they access the net). I stated as much in the original post. However it seems I can't have this Transparent on Green mode turned on if I want DG to work properly on the same box.

  6. #6

    Geoff's Avatar

    Re: Proxy

    Ok. Don't run it in 'transparent' mode, i.e. when it's listening on port 80. Run it on its normal port (3128? 8080?) and set the proxy in the GPOs. Dansguardian should be quite happy with that. It's how I have it set up here.

  7. #7
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,999
    Thank Post
    120
    Thanked 280 Times in 258 Posts
    Rep Power
    106

    Re: Proxy

    What Geoff is saying is that you are getting transparent authentication mixed up with a transparent proxy.
    The authentication is transparent by default with advanced proxy. The transparent option refers to all web requests that hit the gateway being rerouted to the proxy's normal port rather than the proxy port being specifically set in the browser.

  8. #8
    pooley's Avatar
    Join Date
    Sep 2005
    Location
    S Wales
    Posts
    1,129
    Thank Post
    77
    Thanked 118 Times in 99 Posts
    Rep Power
    66

    Re: Proxy

    All the schools in our LEA connect to an ISA 2000 server running Surfcontrol for web filtering.

    To enable transparent authentication (mainly in primaries) we install a Python NTLM script on a server and point all the desktops at the server IP.

    Works well and if you use ntwrapper you can install the script as a service and just forget about it.

  9. #9

    Join Date
    Mar 2006
    Posts
    537
    Thank Post
    2
    Thanked 3 Times in 2 Posts
    Rep Power
    19

    Re: Proxy

    Python? What's it like performance-wise?

    I suppose as it deals with authentication it's only called once or twice in a session.

  10. #10
    pooley's Avatar

    Re: Proxy

    Works fine m8 - no performance issues here

    http://www.python.org/ for program

    http://www.geocities.com/rozmanov/ntlm/ - ntlm script

    Briefly

    Install Python 2.4

    Unzip the ntlm into the Python directory (overwrite files)

    Edit the server.cfg file; use the Python app IDLE to edit.

    Once edited run the main.py file - ntlm script is now running

    To set as service download and install ntwrapper (allows 1 app to be installed as a service for free)

    Edit the runserver.bat file in the Python dir to point to main.py

    Install the runserver.bat file as a service - job done

  11. #11

    Join Date
    Mar 2006
    Posts
    537
    Thank Post
    2
    Thanked 3 Times in 2 Posts
    Rep Power
    19

    Re: Proxy

    Thanks. I will look at the links.
    Any reason to use NT Wrapper over SrvAny?

  12. #12
    pooley's Avatar

    Re: Proxy

    Just that I could not get srvany to work with this script.

    Whatever works

  13. #13


    tom_newton's Avatar
    Join Date
    Sep 2006
    Location
    Leeds
    Posts
    4,463
    Thank Post
    866
    Thanked 845 Times in 667 Posts
    Rep Power
    195

    Re: Proxy

    I got good news, and I got bad news.

    Bad news 1st. Theoretically, it is impossible to auth against a transparent proxy.
    This is because the browser does not know there is a proxy there so if suddenly someone asked it to authenticate, it would confuse the poor thing.

    Remember that transparent proxying is just a firewall trick.

    Good news 1: you can "emulate" t/prox t/auth using out-of-band auth like ident.

    Good news 2: There is another way to do it, but only BlueCoat (to my knowledge) support this and their implementation is flaky and expensive.

    What I can recommend, however, is that SmoothWall will be bringing out a product which supports this type of Authentication in the next 8 months. I doubt version 5 of SchoolGuardian will support it though, as that comes out in January, and there are few developer-months remaining.

  14. #14

    webman's Avatar
    Join Date
    Nov 2005
    Location
    North East England
    Posts
    8,403
    Thank Post
    637
    Thanked 961 Times in 661 Posts
    Blog Entries
    2
    Rep Power
    319

    Re: Proxy

    @tom_newton: You say the authentication problem stems from the browser not expecting the auth request upon requesting a web page. In transparent mode, is the only difference that the proxy is accepting connections on port 80? If that's true, in theory it should be possible to change the proxy port on the client to port 80 in the usual way, GPO, script etc.? Or is there something actually more complicated behind the scenes that's going on?

  15. #15


    tom_newton's Avatar

    Re: Proxy

    Quote Originally Posted by webman
    @tom_newton: You say the authentication problem stems from the browser not expecting the auth request upon requesting a web page. In transparent mode, is the only difference that the proxy is accepting connections on port 80? If that's true, in theory it should be possible to change the proxy port on the client to port 80 in the usual way, GPO, script etc.? Or is there something actually more complicated behind the scenes that's going on?

    Yeah, that would be a solution of sorts - however, that's the same thing as having a non-transparent proxy - either you have to set all your clients to know there's a proxy, or you have to do some out-of-band auth.

    SmoothWall are working on OOB auth that requires nothing more than a web browser.
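
The distinction drawn in the replies above, between an intercepting ("transparent") proxy and NTLM authentication that is transparent to the user, comes down to the form of the request the browser sends. The following is an added example, not code from any poster or from the products named in the thread; the function names and sample requests are constructed for illustration, and the NTLM handshake itself is not implemented.

```python
# Added illustration; not code from the thread or from any proxy product.
from urllib.parse import urlsplit


def parse_head(raw: bytes):
    """Split a raw HTTP request head into (method, target, headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def client_knows_proxy(method: str, target: str) -> bool:
    """True for request forms a browser only sends to a configured proxy."""
    if method == "CONNECT":            # authority-form: CONNECT host:port
        return True
    url = urlsplit(target)             # absolute-form: GET http://host/path
    return bool(url.scheme and url.netloc)


def auth_decision(raw: bytes) -> str:
    """Decide how a proxy listener can identify the user behind one request."""
    try:
        method, target, headers = parse_head(raw)
    except ValueError:
        return "400 bad request"
    if not client_knows_proxy(method, target):
        # Origin-form (GET /path): redirected by the firewall, so the browser
        # thinks it is talking to the web site and will not answer a 407.
        return "intercepted: no in-band auth, identify out-of-band"
    scheme = headers.get("proxy-authorization", "").split(" ", 1)[0]
    if scheme.upper() == "NTLM":
        return "verify NTLM credentials"
    return "407 Proxy-Authenticate: NTLM"


# Constructed sample requests (not captured traffic).
EXPLICIT = b"GET http://example.org/ HTTP/1.1\r\nHost: example.org\r\n\r\n"
INTERCEPTED = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"
WITH_AUTH = (b"GET http://example.org/ HTTP/1.1\r\nHost: example.org\r\n"
             b"Proxy-Authorization: NTLM Y29uc3RydWN0ZWQ=\r\n\r\n")
TUNNEL = b"CONNECT example.org:443 HTTP/1.1\r\nHost: example.org:443\r\n\r\n"
```

Only the requests from a browser that has the proxy configured (by GPO or otherwise) reach the 407 branch, which is why the authentication option and the intercepting mode cannot be enabled together.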
